{"id":"CVE-2025-54988","details":"Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard.\n\nUsers are recommended to upgrade to version 3.2.2, which fixes this issue.","aliases":["GHSA-p72g-pv48-7w9x"],"modified":"2026-03-14T08:45:50.909904Z","published":"2025-08-20T20:15:33.070Z","related":["CGA-fpm3-9gj4-h78g"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/08/20/2"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/08/20/3"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00030.html"},{"type":"REPORT","url":"https://lists.apache.org/thread/8xn3rqy6kz5b3l1t83kcofkw0w4mmj1w"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tika","events":[{"introduced":"386b68b5ae87beafacfb63f33e0a9888dedb9c30"},{"fixed":"c5c9d00e475d48226dfe3f80a2891bfa5426043a"}],"database_specific":{"versions":[{"introduced":"1.13"},{"fixed":"3.2.2"}]}}],"versions":["1.13","1.13-rc1","1.14","1.14-rc1","1.15","1.15-rc1","1.16","1.17","2.0.0","2.0.0-ALPHA","2.0.0-BETA","2.1.0","2.2.0","2.2.1","2.3.0","2.4.0","2.4.1","2.5.0","2.6.0","2.7.0","2.8.0","2.9.0","3.0.0","3.0.0-BETA","3.0.0-BETA2","3.1.0","3.2.0","3.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54988.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}
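The first question a practitioner has for this record is whether a build pulls in an affected tika-parser-pdf-module, directly or through one of the aggregate artifacts the advisory lists. The following Python is an added example, not part of the OSV record or of the Tika project: it encodes the record's range (introduced 1.13, fixed 3.2.2) and the bundling artifacts named above, and flags matching coordinates in a Maven dependency listing. The listing it runs on is constructed for illustration (the non-Tika coordinates are invented).

```python
"""Exposure check for CVE-2025-54988 (XXE in Apache Tika's PDF/XFA handling).

Added example, not part of the OSV record or the Tika project: it encodes the
record's affected range (introduced 1.13, fixed 3.2.2) and the artifacts the
advisory says bundle tika-parser-pdf-module, then flags matching entries in a
`mvn dependency:list` style listing.
"""
import re

# Affected range taken from the OSV record.
INTRODUCED = (1, 13, 0)
FIXED = (3, 2, 2)

# tika-parser-pdf-module itself plus the artifacts the advisory names as
# depending on it ("at least" these; other aggregates may exist).
BUNDLING_ARTIFACTS = {
    "tika-parser-pdf-module",
    "tika-parsers-standard-modules",
    "tika-parsers-standard-package",
    "tika-app",
    "tika-grpc",
    "tika-server-standard",
}

# Matches the "groupId:artifactId:type:version:scope" coordinates printed by
# `mvn dependency:list` (dependency:tree prints the same, with a tree prefix).
DEP_LINE = re.compile(
    r"org\.apache\.tika:([A-Za-z0-9_.-]+):jar:([A-Za-z0-9_.-]+):(\w+)"
)


def parse_version(version: str) -> tuple:
    """Map '3.2.1', '1.13', '2.0.0-BETA' or '1.14-rc1' to a comparable tuple.

    A pre-release suffix is dropped, so a pre-release sorts with its base
    version. That matches the record, which lists 1.13-rc1 and 2.0.0-BETA as
    affected, but it would also treat a hypothetical 3.2.2-rc1 as fixed.
    """
    base = version.split("-", 1)[0]
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when INTRODUCED <= version < FIXED, i.e. inside the OSV range."""
    return INTRODUCED <= parse_version(version) < FIXED


def scan_dependency_list(listing: str) -> list:
    """Return (artifact, version, scope) for every affected Tika artifact."""
    findings = []
    for line in listing.splitlines():
        match = DEP_LINE.search(line)
        if not match:
            continue
        artifact, version, scope = match.groups()
        if artifact in BUNDLING_ARTIFACTS and is_affected(version):
            findings.append((artifact, version, scope))
    return findings


# Constructed sample in the format of `mvn dependency:list`; the non-Tika
# coordinates are invented for illustration.
SAMPLE_LISTING = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parsers-standard-package:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.1:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.17.0:compile
[INFO]    org.apache.tika:tika-server-standard:jar:3.2.2:test
"""

if __name__ == "__main__":
    for artifact, version, scope in scan_dependency_list(SAMPLE_LISTING):
        print(f"AFFECTED {artifact} {version} ({scope}): upgrade to 3.2.2")
```

tika-core is deliberately not flagged: the advisory scopes the bug to tika-parser-pdf-module and the packages that bundle it. Any Tika artifact not in the set above that still depends on the PDF module transitively will show up as the module itself in the resolved list, which the scan does catch.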
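Until the upgrade to 3.2.2 lands, a pre-filter in front of Tika can reject PDFs whose XFA stream declares external entities, which is the construct an XXE payload needs to read local files or reach internal hosts. The following Python is an added example, not the Tika project's code and not its fix: it checks for an /XFA entry in the AcroForm, inflates FlateDecode streams, and searches them for SYSTEM or PUBLIC entity declarations. The minimal PDF it builds is constructed for the demonstration, and the function names are this example's own.

```python
"""Heuristic triage of PDFs for XFA payloads that declare external entities.

Added example for CVE-2025-54988, not from the Tika project: it looks for an
/XFA entry and scans every stream (raw or FlateDecode) for <!ENTITY ... SYSTEM>
or <!ENTITY ... PUBLIC> declarations. Standard library only.
"""
import re
import zlib

XFA_KEY = re.compile(rb"/XFA\b")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# General (<!ENTITY name SYSTEM ...>) or parameter (<!ENTITY % name SYSTEM ...>)
# entities that resolve outside the document.
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+%?\s*[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def _inflate(raw: bytes) -> bytes:
    """Inflate a FlateDecode stream, or return raw bytes if it is not zlib data.

    decompressobj tolerates a stream the regex above may have cut short by a
    trailing byte, which zlib.decompress would reject as truncated."""
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw


def find_external_entities(pdf: bytes) -> list:
    """Return the external entity declarations found in an XFA-bearing PDF."""
    if not XFA_KEY.search(pdf):
        return []  # no XFA form: outside the scope of this advisory
    hits = []
    for m in STREAM.finditer(pdf):
        for decl in EXTERNAL_ENTITY.finditer(_inflate(m.group(1))):
            hits.append(decl.group(0).decode("latin-1"))
    return hits


def build_sample_pdf(xfa_xml: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF whose AcroForm points at one XFA stream.

    Not a real-world file; just enough structure for the scanner above."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.7\n"
        + b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n"
        + b"2 0 obj << /XFA 3 0 R >> endobj\n"
        + b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
        + b"stream\n" + body + b"\nendstream\nendobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


# Constructed XFA payloads: one carrying a classic XXE entity, one benign.
XFA_WITH_XXE = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE xdp [ <!ENTITY secret SYSTEM "file:///etc/passwd"> ]>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b"<template>&secret;</template></xdp:xdp>\n"
)
XFA_BENIGN = (
    b'<?xml version="1.0"?>\n'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template/></xdp:xdp>\n'
)

if __name__ == "__main__":
    for label, doc in [
        ("compressed", build_sample_pdf(XFA_WITH_XXE, True)),
        ("raw", build_sample_pdf(XFA_WITH_XXE, False)),
        ("benign", build_sample_pdf(XFA_BENIGN, True)),
    ]:
        print(label, find_external_entities(doc))
```

This is a triage filter, not a fix: it does not decode object streams, non-Flate filters, encrypted documents or XFA split across an array of streams, and a DOCTYPE without external entities is left alone. The only complete remediation the advisory offers is upgrading to 3.2.2.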